MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XWorm


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932
SHA3-384 hash: 5c4f63c25cfeaecf7012dbe46a09352d29ba868c40c397c85eaa3d268e1663ce6ed6223bacf4d24411b2f613746c8fe4
SHA1 hash: 5024ad1abe7c4ece43451884f28691ebc146d664
MD5 hash: c016c5be4015dc8a1e6632f67f57c5da
humanhash: mobile-hamper-chicken-december
File name:SO 敬鵬 KEE-JKT 0731.DOCX.scr
Download: download sample
Signature XWorm
Create hunting rule
File size:495'104 bytes
First seen:2023-07-27 10:14:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Ff2iN2GUL94UpL6RXLPo5lwjVxCHVyiVhJ+:Ff1xUL94Gbw+r
Threatray 685 similar samples on MalwareBazaar
TLSH T135B4121021ECAB2ACDBA63F51AD44A4507F2A96FE230E7692DCD31DB4B637105B91F13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe scr xworm

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SO 敬鵬 KEE-JKT 0731.DOCX.scr
Verdict:
No threats detected
Analysis date:
2023-07-27 10:22:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/51bcfa78-bfc5-42ec-9b74-5eadd9226b28

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/434755/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eafdb2ec-6685-4f5e-9bd6-2a5917a60fa0
Result
Threat name:
XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1281057
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1281057 Sample: SO_#U656c#U9d6c_KEE-JKT_073... Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 25 Found malware configuration 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 Antivirus detection for URL or domain 2->29 31 6 other signatures 2->31 8 SO_#U656c#U9d6c_KEE-JKT_0731.DOCX.scr.exe 3 2->8         started        process3 file4 23 SO_#U656c#U9d6c_KE...31.DOCX.scr.exe.log, ASCII 8->23 dropped 33 Bypasses PowerShell execution policy 8->33 35 Adds a directory exclusion to Windows Defender 8->35 37 Injects a PE file into a foreign processes 8->37 12 SO_#U656c#U9d6c_KEE-JKT_0731.DOCX.scr.exe 1 8->12         started        signatures5 process6 signatures7 39 Adds a directory exclusion to Windows Defender 12->39 15 powershell.exe 22 12->15         started        17 powershell.exe 3 12->17         started        process8 process9 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-07-26 00:40:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrjizvml4c35iugx7fhoolqvwqqftiujg6wttvz2sfmgdzzoleza._file
Verdict:
malicious
Similar samples:
48eef18edcc14ccc129e3e475e15bb2f16b33e8acb70e0aac29670dd0ce68161
XWorm
83705fb44730441949f46455f2076211d6f9d3739a622bb277d3e9c03ddd592e
XWorm
88e5b0195785890d324ec49f11d0fcfd1f33c0b61d364825e6bb04831abc7fbf
XWorm
9c4729e8b07e00f05876ed556d5c27a993a60979374b7fdafe69c0aca66a7281
XWorm
a19c0c04a2c24a58561e7e3ac33044236b7978c2b7f18958e52af6a37705b6b5
XWorm
aafd707672f8c520542b9a1ef2c675f057fe3d2a96262e363c11c8c542a68a2c
XWorm
c1b9e627f3beaa8e365c0bdc240435e2eaf47b664d28d1c2c2fd859bd9373d7e
XWorm
cd704cdaf7397e725eaa339fb7ad3a0ab26f503428eb8eaaf4abb656ae949382
XWorm
e501d14e904214d3bd94574c80ea8a1f18f8853425a2a375fa71a7e6933fb196
XWorm
f9171de76ea630a461f1764aa9c27fadf7e8fcbddfa7a2c3b44067867c029f05
XWorm
+ 675 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230727-l99pzaef4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7c85adf10b38855968d44168ac878536bc034d2e9554f880112622666a38b557
MD5 hash:
df01481ba47fe4c675e8f686890a02c5
SHA1 hash:
fc00727c4d4a66b45ff2c9e29d2bd3bd2411f21c
Link:
https://www.unpac.me/results/968338e4-e417-47d6-b4e7-dde64a0c12e9/
SH256 hash:
f5876655969cd4409416a02004df1932bedc208272c693514cf0d736a2e03370
MD5 hash:
e51c8ddc49cc3e1782188a5af16f5e29
SHA1 hash:
c32efb4a143b12642dab043b328ba05c779a3d34
Link:
https://www.unpac.me/results/968338e4-e417-47d6-b4e7-dde64a0c12e9/
SH256 hash:
53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77
MD5 hash:
37e82d3e2864e27b34f5fbacaea759c3
SHA1 hash:
a87024a466e052bff09a170bb8c6f374f6c84c32
Link:
https://www.unpac.me/results/968338e4-e417-47d6-b4e7-dde64a0c12e9/
SH256 hash:
b9a20d6a037273d22acfef040a5ee5eaf300f8ed3cfa174ef8a7c400b3753105
MD5 hash:
f2ddeb90f1d02f7f07a7d4784907f037
SHA1 hash:
03ecca6a926462f1559c29e0d59dd99ed62b60fa
Link:
https://www.unpac.me/results/968338e4-e417-47d6-b4e7-dde64a0c12e9/
SH256 hash:
8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932
MD5 hash:
c016c5be4015dc8a1e6632f67f57c5da
SHA1 hash:
5024ad1abe7c4ece43451884f28691ebc146d664
Link:
https://www.unpac.me/results/968338e4-e417-47d6-b4e7-dde64a0c12e9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c528cd58be0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XWorm

Executable exe 8c528cd58be0b7d450d7f94ee72e15b42059a28937ad39d73a915861e72e5932

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/434755/

Comments